Re: EAP-TLS and OS X clients
Quoting a.l.m.bu...@lboro.ac.uk:

> SSL certs can be in various formats. Ones that are 'usable' depends on the underlying code, but the useful types are usually PEM, DER (also known as CER) and P12; these are all active certs. CSR is a certificate signing request file and isn't a valid cert for client use.
> ...
> On OSX you need to ensure you have the CA installed - and TRUSTED!

Thanks, Alan. That straightened some things out for me. Eventually, though, it turned out that the most important issue was with OS X 10.7 (Lion). With this particular version of Apple's OS, the facility for adding enterprise network configurations is not as flexible as it once was. Now, if something different is required, a special (free) tool must first be obtained -- the iPhone Configuration Utility -- with which to create an XML profile that can then be applied. Not exactly what I was expecting, but that's the way it is.

For anyone who might be interested, here's the set of instructions that I used:

If your school uses TTLS with PAP (LDAP backend) then yah, the auto connection with ethernet will not help you. That is because the default EAP type that is supported is TTLS MSCHAPv2 (which is a bit more secure than PAP -- ya ya, I know it is not fool proof). Anyway, all is not lost. You have three choices on how to get an 802.1X profile that supports TTLS with PAP onto your Mac.

1. Download iPCU and create a .mobileconfig file
2. Buy Lion server and use Profile Manager
3. Create a .mobileconfig (xml file) from scratch

Options 2 and 3 are kind of a pain in the rear, so let's stick with option 1. Please put on your learning hat now.

**Please note this example is for a wired OR wireless 802.1X connection that requires TTLS and PAP for Lion clients**

1. Download and install the iPCU: http://support.apple.com/kb/DL851
2. Open the iPCU (the iPCU is installed in Applications - Utilities).
3. In the right hand side click on Configuration Profiles.
4. Click on New (upper left).
5. You will see a new profile with a bunch of payloads (general, passcode, restrictions, etc). Don't worry, you do not need to fill most of these out.
6. Click on General and fill out a Profile Name, Identifier (they can be anything); the rest of the fields you can leave blank. I used spam and spam.
7. Now click on WiFi. Don't be scared here. Lion can use WiFi profiles for Ethernet (it will just ignore the SSID field). Click configure.
   7a. For SSID: If your school has a wireless network that uses TTLS with PAP, fill in the SSID name (wireless network name) that your school uses. If your school does not use wireless, then just use a label (e.g. spam).
   7b. Ignore the hidden network field (unless of course your school uses a hidden SSID and you want to use wireless for this connection).
   7c. Security Type: Again, if this is for Ethernet, just use WPA/WPA2 Enterprise. If this profile is going to be used for WiFi, then you need to find out what type of security your school uses. Most likely it will be WPA/WPA2 Enterprise (I hope).
   7d. Once you choose WPA/WPA2 Enterprise you will see more options appear. Choose TTLS.
   7e. Ignore EAP-FAST settings. Leave all boxes unchecked for EAP-FAST.
   7f. For Inner Authentication choose PAP.
8. You will see three tabs, one for protocol (that you already filled out), one for Authentication and one for Trust. You can ignore trust unless you have the certificate from the radius server already loaded on your client. Don't worry if you do not have the cert, the Mac will load it (with your permission) during the first authentication. Ignore the Authentication tab for now.
9. Now look at the top left of the tool and choose Export.
   9a. For Security, just choose none (don't worry about signing it).
   9b. Hit Export.
10. You will get a Save As dialogue box. Give the profile a name (like spam or something) and choose where you would like to save the profile.
11. Now go to where you saved your profile and double click it. System Prefs will launch and try to install the profile.
   11a. Just hit continue and continue again.
   11b. You will be prompted for settings which are the username and password. You can either just hit install (the eapol supplicant will ask you for your credentials during the authentication phase) or you can fill them out now. BE SURE TO INPUT THE CORRECT INFORMATION. If you insert a bad username or password into this field, it will get saved as a keychain entry (with bad info) and you will never be able to connect. The Mac will just silently fail authentication until you delete the keychain entry and do a fresh auth. Save yourself some trouble and leave the fields blank and just hit install.
   11c. You will be prompted for your admin password to install the profile.
12. The profile should be installed now.
13. In system prefs, click show all then click network.
14. If you click on your Ethernet interface you should now
Re: EAP-TLS and OS X clients
Hi,

> Eventually, though, it turned out that the most important issue was with OS X 10.7 (Lion). With this particular version of Apple's OS,

yes, I know. Apple suck for doing this. I manage campus network at Loughborough university and eduroam federation in the UK and so am well aware of OSX and their idea of making OSX have the same .mobileconfig method as iOS.

you might want to look into 'eduroam CAT' tool - ask your NREN federation/eduroam people about it.

who are your instructions aimed at? I worry a great deal about them because you aren't telling them to install/verify a CA or a RADIUS server for the connection (thus basically negating the whole point of PKI!) and the site might use EAP-FAST (some places actually do more than just EAP-TTLS).

also, end users don't need to run this tool! you (the admin) do all the hard work of configuring the profile and then just provide the end user/customer the *SIGNED* mobileconfig file

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS and OS X clients
Quoting a.l.m.bu...@lboro.ac.uk:

> you might want to look into 'eduroam CAT' tool - ask your NREN federation/eduroam people about it.

Thanks very much! I'll look into it.

> who are your instructions aimed at? I worry a great deal about them because you aren't telling them to install/verify a CA or a RADIUS server for the connection (thus basically negating the whole point of PKI!) and the site might use EAP-FAST (some places actually do more than just EAP-TTLS).
>
> also, end users don't need to run this tool! you (the admin) do all the hard work of configuring the profile and then just provide the end user/customer the *SIGNED* mobileconfig file

Oh, hey, I thought I was just sharing this information with a bunch of lazy sysadmins, some of whom might be interested to know how I eventually managed to connect OS X 10.7 (Lion) hosts to my wifi network. As I mentioned in my previous post, I did not author those instructions. I'm also not in the habit of re-posting information written by others, but although they may not be perfect, I thought they were helpful and then suddenly became worried that Apple might make them disappear at one point or another (it wasn't exactly easy information to find). Moreover, I explained that I was using a WPA2-Enterprise configuration with FreeRADIUS 2.1.0, EAP-TLS and 4096-bit SHA-1 in my first post in this thread on Sunday 17 Feb.

Cheers, Jaap
EAP-TLS and OS X clients
Hi folks,

My WPA2-Enterprise configuration with FreeRADIUS 2.1.0, EAP-TLS and 4096-bit SHA-1 certificates works great with wpa_supplicant on Linux, but can anyone help me understand how to get this to work for OS X (Lion) clients? My Linux client uses a copy of the ca.pem file to establish the link (after which PAP is used to authenticate), but although the same ca.pem file can be imported into the OS X client's keychain, this certificate never shows up as a selectable identity when configuring EAP-TLS wireless access, like in this case (bottom of the page):

https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network

In this example, the users are given a personalized *.cer certificate to add to their keychain. Since I don't have any client.cer files, I tried this approach with a client.csr file instead, which seemed personalized enough, but still I run into the same roadblock. Can anyone say what I should be doing differently? E.g. are *.cer certificates mandatory (if so, how can I make them?), or can I not use my self-signed certificates?

Thanks, Jaap
Re: EAP-TLS and OS X clients
Jaap Winius wrote:

> Can anyone say what I should be doing differently? E.g. are *.cer certificates mandatory (if so, how can I make them?), or can I not use my self-signed certificates?

I always use pem or crt files, not *.cer. It works on my Mac.

Alan DeKok.
Re: EAP-TLS and OS X clients
Hi,

> https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network
>
> In this example, the users are given a personalized *.cer certificate to add to their keychain. Since I don't have any client.cer files, I tried this approach with a client.csr file instead, which seemed personalized enough, but still I run into the same roadblock. Can anyone say what I should be doing differently? E.g. are *.cer certificates mandatory (if so, how can I make them?), or can I not use my self-signed certificates?

right, SSL certs can be in various formats. ones that are 'usable' depends on the underlying code, but the useful types are usually PEM, DER (also known as CER) and P12; these are all active certs. CSR is a certificate signing request file and isn't a valid cert for client use. if you have one type you can easily convert it to any of the other formats using 'openssl' on the command line of a Linux or OSX system - the command format isn't trivial...but it's fairly obvious, the man pages cover it and there are MANY web pages out there telling you how to do it.

under Linux, most of the network admin tools for WPA2/WPA enterprise are fairly limited and fussy about certificates, how and where they are installed...on OSX you need to ensure you have the CA installed - and TRUSTED!

alan
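As an added example (not from any post in this thread), here are the openssl conversions Alan refers to, PEM to DER (.cer) and back and PEM to P12, plus a check showing why the client.csr Jaap tried is not a client certificate and a chain check against the CA. It assumes openssl is on PATH; every key and certificate is a constructed throwaway made in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl on PATH.
# All files are constructed throwaways created in a temp directory.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Throwaway CA, client key + CSR, and the CSR signed into client.pem.
# 2048-bit keys keep this fast; the poster used 4096-bit SHA-1, SHA-256 is used here.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=client" -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -sha256 -out client.pem 2>/dev/null
}

# PEM -> DER (the .cer form) and DER -> PEM.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2"; }

# Bundle key + cert + CA into PKCS#12: key and certificate together are what
# the keychain can offer as an identity; a bare CSR or CA cert never is.
make_p12() { openssl pkcs12 -export -inkey client.key -in client.pem \
               -certfile ca.pem -passout "pass:$1" -out "$2"; }

# Succeeds only for an X.509 certificate; a CSR (a signing request) is rejected.
is_certificate() { openssl x509 -in "$1" -noout 2>/dev/null; }

# SHA-256 fingerprint, to confirm a format conversion kept the same certificate.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Does the cert chain to ca.pem? This is the "CA installed and TRUSTED" point.
chains_to_ca() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }
```

Import the resulting .p12 (not the .csr) into the OS X keychain to get a selectable identity, and install ca.pem as a trusted root alongside it.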